Annual Report, “Federal Information Security Management Act: Fiscal Year 2009 Report
from the Office of Inspector General” (IG-10-001, November 10, 2009)

This annual report, submitted as a memorandum from the Inspector General to the NASA
Administrator, provides the Office of Management and Budget (OMB) with our
independent assessment of NASA’s information technology (IT) security posture. For
FY 2009, our audit included a review of 24 non-national security Agency systems and
5 non-national security external systems. Our sample included systems from all
10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center.

Based on our review of the 29 systems, we reported NASA’s compliance with FISMA
and Agency privacy management requirements. Overall, the Agency complies with
requirements, although there is room for improvement.

Our report to OMB cited general compliance with system certification and accreditation
requirements. However, we identified internal control weaknesses related to the
POA&M process, operating system configuration management, security controls testing,
and contingency plan testing. In addition, we found that oversight for external systems
could be improved.

We also evaluated Agency compliance with Privacy Act requirements and determined
that policies, procedures, and internal controls were in place to adequately protect
employees’ personally identifiable information (PII).

OMB’s FY 2009 Report to Congress on the Implementation of The Federal Information
Security Management Act of 2002 includes information from our report. However, as an
“Intra-Agency Memorandum,” our report is considered exempt from release under the
Freedom of Information Act (FOIA); it also contains NASA Information
Technology/Internal Systems Data that is not routinely released under FOIA. To submit
a FOIA request, see the online guide.